[00:04.730 --> 00:07.810]  Hello everyone, this is Mike Vangardi with the Boeing Company.
[00:07.890 --> 00:10.470]  And I'm here to talk to you about product cybersecurity,
[00:10.470 --> 00:16.050]  specifically the Secure Airplane Development Lifecycle used within Boeing Commercial Airplanes.
[00:18.900 --> 00:22.500]  And as a short primer on what I'll be talking about today,
[00:23.260 --> 00:27.600]  everybody I think understands that the aviation industry is focused on safety.
[00:28.340 --> 00:31.060]  Everybody in the Boeing Company works hard to achieve this.
[00:31.380 --> 00:34.740]  We also have a new concept called the E-Enabled Aircraft.
[00:34.740 --> 00:39.820]  And what I mean by that is that we now have airplanes that have off-board connectivity,
[00:39.820 --> 00:46.520]  that may employ the use of commercial off-the-shelf software and services like the Internet Protocol Suite.
[00:48.080 --> 00:50.680]  But so with the good comes the bad though, right?
[00:50.960 --> 00:55.540]  Because of this, we now need to contend for cybersecurity threats.
[00:56.260 --> 01:00.740]  And so the way airplanes are developed now need to take this into consideration.
[01:00.740 --> 01:05.680]  And so malicious intent via cyber methods is an air concern that needs to be accounted for
[01:05.680 --> 01:08.200]  during design, development, test, and analysis.
[01:12.530 --> 01:17.850]  So developing a product that is both safe and secure is of the utmost importance to the company.
[01:17.850 --> 01:24.610]  We also need to protect our airline customers, protect our brand, and the aviation system as a whole.
[01:24.990 --> 01:27.830]  In order to do this, we need to secure the airplane,
[01:27.830 --> 01:31.590]  but we also need to secure those data links, that connectivity,
[01:31.590 --> 01:36.770]  and build a company culture that puts security right up there where safety is today.
[01:36.870 --> 01:41.290]  Only then can we truly have an airplane that's secure throughout its entire life cycle.
[01:45.610 --> 01:50.770]  Now it sounds simple, right? So let's talk about the complexity and what this really means.
[01:51.130 --> 01:56.450]  Now this chart really kind of shows that aviation is pretty large in scope,
[01:56.450 --> 01:59.830]  and you can have all the security you want on the aircraft,
[01:59.830 --> 02:04.630]  but if we don't do our part to the rest of the ecosystem, meaning the ground systems,
[02:04.630 --> 02:11.130]  maintenance, you know, the federated systems that might come in through STATCOM or Global Navigation,
[02:11.130 --> 02:14.590]  then we're not as secure as we need to be.
[02:14.590 --> 02:22.050]  And so Boeing is spending a lot of effort and time working across these different parts of aviation.
[02:22.710 --> 02:28.470]  And again, we'll talk about some of that stuff here in the next few slides.
[02:30.790 --> 02:37.470]  And so as I kind of talked about connectivity, we have seen a growth in this in the enabled aircraft.
[02:38.170 --> 02:43.670]  Unfortunately, with all the good, you know, comes the need to drive cyber protections now.
[02:43.910 --> 02:47.990]  And so this is a new norm within aviation.
[02:48.090 --> 02:53.530]  Like there was a time when cybersecurity wasn't a big deal, but those days are long gone.
[02:53.570 --> 02:57.570]  And so this is going to require protections that are both on the airborne assets,
[02:57.570 --> 03:00.830]  you know, the avionics, the airplane systems, and those type of devices,
[03:00.830 --> 03:05.930]  as well as processes and controls on the ground-based systems.
[03:06.390 --> 03:11.650]  To achieve this, you know, because airplanes are a global commodity that fly all over the world,
[03:12.090 --> 03:14.890]  information sharing is one of those key enablers.
[03:15.030 --> 03:21.070]  You know, we partnered with the Aviation Information Sharing and Analysis Center to get some good threat intelligence
[03:21.070 --> 03:25.150]  and basically just to build trust and relationships.
[03:25.150 --> 03:31.930]  So in the case of a cyber event, you know, that can affect multiple stakeholders in this industry,
[03:31.930 --> 03:36.530]  we have those relationships to be able to, you know, share that data.
[03:36.730 --> 03:39.650]  And we're actually getting to the point where with the connectivity,
[03:39.650 --> 03:46.330]  we're now going to need a way to manage all these connectivity solutions and basically the networks,
[03:46.330 --> 03:48.850]  just like we do on traditional ground systems.
[03:49.310 --> 03:51.410]  So that's definitely going to be the norm.
[03:51.410 --> 03:57.930]  Then I got a couple of these line charts to just show the relationship right now between safety and security.
[03:57.930 --> 04:00.290]  So on the left, we have safety events.
[04:00.290 --> 04:05.050]  And what you'll see is that over time, those safety events become less common.
[04:05.050 --> 04:10.830]  And actually, you know, based on good learning from mistakes, learning from history,
[04:10.830 --> 04:14.070]  you know, they tend not to re-show up or repeat themselves.
[04:14.850 --> 04:19.830]  Conversely, though, on security, though, you know, we know that they attack surface grills over time.
[04:19.830 --> 04:25.430]  And so in the case of an aircraft, which typically has a life cycle of, you know, close to 30 plus years,
[04:25.430 --> 04:29.950]  if you were to never update, you know, the systems on the airplane,
[04:29.950 --> 04:37.210]  what kind of security issues might have popped up in between the initial certification and that time frame?
[04:37.210 --> 04:40.090]  So we know that that's an issue to solve.
[04:40.090 --> 04:41.770]  And we are working towards that.
[04:41.770 --> 04:46.410]  And I'll kind of talk a little later about what we've done to help mitigate that.
[04:48.490 --> 04:53.370]  Now, Boeing Commercial Airplanes has been involved with network security since 1994.
[04:53.630 --> 04:58.710]  That was when we first released the white paper for the 777 that really looked at what would happen
[04:58.710 --> 05:03.730]  if you used a tamper maliciously or intentionally tamper with software.
[05:04.570 --> 05:08.930]  So we had some lessons learned from that. It kind of opened the eyes to some of our designers.
[05:09.470 --> 05:13.590]  Then came the 787 with the E-Enabled, the first E-Enabled platform.
[05:13.590 --> 05:20.010]  And we've actually continued to, you know, add those type of systems to the rest of our fleets.
[05:20.010 --> 05:23.790]  So the 377s and 777s and 477-8s.
[05:23.790 --> 05:30.690]  And essentially, the FAA at the time has realized that, you know,
[05:30.690 --> 05:36.310]  existing regulations did not adequately account for intentional misuse.
[05:36.430 --> 05:38.510]  And so we have something called special conditions.
[05:38.510 --> 05:42.390]  Those are the requirements laid on us by our regulator.
[05:42.390 --> 05:44.530]  They kind of fit into two different buckets.
[05:44.530 --> 05:48.670]  Protect the aircraft from internal passenger access, those that want to do harm.
[05:48.810 --> 05:53.070]  Protect the aircraft from those trying to attack it external to the aircraft.
[05:53.610 --> 05:57.350]  And so right now, we're actually in the 2020 timeframe.
[05:57.810 --> 06:01.970]  We have some new guidance coming out that is a little more inclusive.
[06:01.970 --> 06:04.730]  And talking about securing the whole ecosystem.
[06:04.730 --> 06:08.210]  I'll talk about those standards here in a bit.
[06:10.710 --> 06:16.210]  And so let's talk about what it means to have a secure aircraft architecture.
[06:16.690 --> 06:22.350]  And so one of the things that airplanes are built around is something called domain model.
[06:22.350 --> 06:27.730]  And they're specific to define an A-ring 6-6-4-4-5.
[06:27.730 --> 06:30.710]  I have a diagram on the next slide that will give a little more explanation.
[06:30.710 --> 06:33.470]  But essentially, there are three different trust levels on the aircraft.
[06:33.470 --> 06:35.770]  You have your front of aircraft, the aircraft control domain.
[06:35.770 --> 06:42.890]  Those are systems that really have a command and control impact to the aircraft.
[06:42.890 --> 06:47.450]  You have those that sit in the airline information systems domain or services domain.
[06:47.450 --> 06:53.070]  Those are systems that are used to support maintenance or aircraft efficiencies and whatnot.
[06:53.070 --> 06:58.410]  Then we got the PIS domain or passenger and information entertainment systems domain.
[06:58.670 --> 07:01.550]  Now, each of these domains has different trust levels.
[07:01.550 --> 07:07.890]  And they also have different designs and protections to mitigate any intentional cyber intrusions.
[07:07.890 --> 07:15.630]  These protections, along with some administrative physical access and operational controls,
[07:15.630 --> 07:19.830]  are what holistically together provide security for an aircraft.
[07:21.290 --> 07:26.050]  Now, as I briefly just talked about on the previous slide,
[07:26.050 --> 07:30.610]  the A-ring 6-6-4-4-5 model is something that's in a published specification.
[07:31.750 --> 07:36.530]  Actually, this view right here, I kind of broke it into different views.
[07:36.570 --> 07:40.670]  A security view, responsibility, airline officer roles and functions.
[07:40.670 --> 07:45.810]  This is similar to a software architecture design pattern, say a 4-plus-1,
[07:45.810 --> 07:51.930]  where you have different concurrent views to account for different aspects of those domains.
[07:51.930 --> 07:56.590]  So, in the security view, we have what is done in the closed part of the network, the aircraft.
[07:56.590 --> 07:58.330]  That's done by the airframer.
[07:58.330 --> 08:05.390]  We have those responsibilities that are done on the private side, which are those for the airline to control.
[08:05.550 --> 08:08.690]  And then we have things, you know, the passengers.
[08:08.690 --> 08:14.410]  As myself, I'm a passenger. I have the freedom to bring my own devices, whether it's a cell phone or a tablet.
[08:14.770 --> 08:21.370]  If I'm on the ground, I can use AT&T or Verizon, you know, to connect to the Internet or other stuff like that.
[08:21.370 --> 08:27.130]  So, there's different trust domains. They have different roles, and they each come with their own different threats.
[08:30.360 --> 08:37.940]  To give a little more granular view on the connectivity and how they relate to the aircraft domains,
[08:37.940 --> 08:42.460]  this is a pretty busy chart, but it just kind of shows you there's a lot happening right here.
[08:42.460 --> 08:46.380]  So, on the far left in the red, that's our aircraft control domain.
[08:46.380 --> 08:54.060]  Those are systems that are, again, needed for safety of flight, typically, and command and control of the aircraft.
[08:54.200 --> 08:58.820]  Some of the data links that are used on there are your LBAN, SATCOM for safety services.
[08:58.820 --> 09:03.940]  That would encompass things like ATN-OSI, ACARS.
[09:03.940 --> 09:13.480]  It will make use of mediums like VHF if you're over terrestrial networks, SATCOM if you're oceanic.
[09:13.480 --> 09:17.800]  You then have the middle of the airplane, which is AISD.
[09:17.800 --> 09:25.260]  There's a lot of different ground network interfaces for that, mostly broadband, anywhere from cellular to Wi-Fi.
[09:25.300 --> 09:27.740]  You also can use SATCOM in that regard.
[09:28.600 --> 09:32.040]  That SATCOM, though, is a KUKABAN SATCOM.
[09:32.040 --> 09:40.080]  Again, that domain is mostly for airline operational use to support flight crew, maintenance crews, and cabin crews.
[09:40.080 --> 09:44.040]  And then at the backside of the aircraft, we have, again, the entertainment domain.
[09:44.040 --> 09:48.900]  And this is what, as a flying passenger, if you've ever wanted to get internet access while you were flying,
[09:48.900 --> 09:53.160]  you're going to connect to your IFAC, your flight entertainment connectivity server.
[09:53.160 --> 09:58.460]  That's going to, again, normally be a third party like Iridium or MRSAT.
[09:58.680 --> 10:00.520]  That's going to provide that for you.
[10:05.020 --> 10:11.120]  Now, this Venn diagram right here is to just kind of show the intersection of two main things.
[10:11.120 --> 10:20.080]  So we all know that aviation safety is by far the main focus of all regulations in commercial airlines or commercial aviation.
[10:20.280 --> 10:28.040]  But then we also have a lot of these other systems on the aircraft that maybe have nothing to do with safety,
[10:28.040 --> 10:33.800]  and they're just for quality or passenger experience.
[10:33.800 --> 10:36.220]  That's the aviation cybersecurity.
[10:36.500 --> 10:40.040]  Again, there's not a whole lot of regulations around that.
[10:40.040 --> 10:44.820]  But in that intersection, that inner circle, is where we have our aviation cybersafety.
[10:44.820 --> 10:47.540]  And these are under purview of the regulator.
[10:47.960 --> 10:57.800]  And this is really making sure that systems that have a criticality associated with them based on their design assurance level,
[10:57.800 --> 11:02.720]  that those systems are robust against cybersecurity concerns.
[11:02.720 --> 11:09.680]  In other words, to say that is to reduce the chance or likelihood of a safety event happening in these cyber lanes.
[11:09.680 --> 11:12.440]  So that's, again, a new area that's getting a lot of focus.
[11:12.440 --> 11:18.680]  That's where Boeing and its trusted partners spend a lot of time focusing on.
[11:20.740 --> 11:26.300]  And so what else is Boeing doing right now to get to that secure and safe aircraft?
[11:27.020 --> 11:29.760]  We actually do the airplane certification.
[11:29.760 --> 11:38.340]  Something that is different than a typical airplane certification is now there is a separate activity to account for the security aspects.
[11:38.340 --> 11:44.640]  So almost like a security certification just to look at the malicious misuse.
[11:45.040 --> 11:52.140]  This demonstrates the security compliance and verifies that the airplane meets the stringent security requirements.
[11:52.140 --> 12:00.840]  Also makes sure that any other guidelines and things that the regulator is going to review is also accounted for.
[12:01.320 --> 12:08.980]  We're spending, like most companies, we're always trying to innovate and find new cool things to make us more competitive,
[12:08.980 --> 12:11.560]  to make our customers find more value.
[12:11.860 --> 12:14.880]  And so we're partnering up with both internal and external parties.
[12:14.980 --> 12:16.460]  Some of these are private entities.
[12:16.460 --> 12:25.340]  Others are like academia and universities to go ahead and work together to come up with some new stuff.
[12:25.520 --> 12:27.460]  Things like machine learning and AI.
[12:27.460 --> 12:30.600]  Blockchain, got to throw that out there because that was the buzzwords of today.
[12:30.820 --> 12:36.540]  But you kind of look at those and work with those different folks to come up with new solutions.
[12:36.820 --> 12:39.500]  We have a dedicated team that's looking at air-to-ground interfaces.
[12:39.500 --> 12:45.880]  How do we get more data off the aircraft so we can do protective maintenance and trending and things like that.
[12:46.800 --> 12:51.460]  We also spend time doing risk assessments and risk management.
[12:51.680 --> 12:55.340]  We subscribe to the NIST framework, cybersecurity framework.
[12:55.500 --> 13:02.620]  This helps us focus on where we're going to, you know, what the big rocks are to go solve and spend money accordingly.
[13:03.260 --> 13:08.100]  Something else that's kind of aligned to risk management is the use of tabletop exercises.
[13:08.280 --> 13:13.660]  Red teaming, war gaming, different words to say the same thing as we're going to look at, you know, with different stakeholders
[13:13.660 --> 13:21.960]  to see, you know, are our assumptions good, where should we be focusing, are there any gaps in those assumptions and whatnot.
[13:22.260 --> 13:32.360]  And a new thing that our team within Boeing and product security has just stood up is a team dedicated to doing product security incident response.
[13:32.360 --> 13:39.620]  So as we get more investing partners and working with the security researcher community,
[13:39.620 --> 13:47.420]  we need folks that are dedicated to handling any issues so that we can mitigate and fix those accordingly.
[13:47.600 --> 13:56.980]  And also to account for the sustainment. Now, most folks realize that the operational phase of any system is the longer period and the most costly.
[13:56.980 --> 14:10.980]  So because aircraft, you know, are 30 plus year flying machine, we have to do the security sustainment activities to make sure that those aircraft remain cyber resilient, cyber secure over that life cycle.
[14:11.240 --> 14:20.400]  To help us, you know, investigate that, we do a lot of testing. And so we have a dedicated secure aircraft cyber test lab.
[14:20.400 --> 14:32.940]  This lab has a smattering of different systems that we can go use to test, but it also has reachback capability to other parts of the company and different other labs, whether they're different configuration or other systems.
[14:33.520 --> 14:43.300]  This allows us to do penetration testing, both in house as well as with, you know, trusted third parties that we brought on board or collaborated with to go look at stuff.
[14:43.300 --> 14:52.480]  And then lastly, we have these public and private partnerships that we are doing. You know, we're only as good as the folks we surround ourselves.
[14:52.480 --> 14:59.420]  And so we take an interest in leading industry standards activities, working with their European counterparts.
[14:59.600 --> 15:05.180]  One of the initiatives that we're tied into is their aircraft cyber initiative.
[15:05.180 --> 15:10.800]  And that's a tri-chair with the FAA, DHS and DOD and working with some of those special programs.
[15:10.820 --> 15:17.020]  And then I talked about the aviation ISAC. And that's something that we're heavily involved with.
[15:19.380 --> 15:23.980]  And so I just kind of talked about our secure lab. We call that our SCORE lab.
[15:23.980 --> 15:28.920]  And that stands for our Secure Center for Operational Research and Experimentation.
[15:29.180 --> 15:34.920]  We do a lot of different things in here from R&D to incident response, forensics if needed.
[15:34.920 --> 15:42.400]  Again, this is just one of the capabilities that, you know, as the airframer having access to the embedded avionics,
[15:42.400 --> 15:52.880]  the different avionics buses and having all those broke out into a way we can have access to them really helps with demonstrating, you know, the security of the airplane.
[15:56.010 --> 16:03.110]  And again, as part of that new focus on working together again with the folks like yourselves here at DEF CON,
[16:03.110 --> 16:08.870]  we've stood up a vulnerability disclosure kind of program. We didn't have one.
[16:09.130 --> 16:16.130]  And so, you know, that's something we just stood up. You can see it there on the URL right there.
[16:16.150 --> 16:20.290]  That helps us and, you know, folks that do responsible disclosure.
[16:20.290 --> 16:30.230]  Also trying to partner with, again, the Aerospace Village and other organizations that are really focusing on making good partnerships,
[16:30.230 --> 16:37.610]  education and teaching each other, you know, both sides of the desert, the aviation side and the security side.
[16:38.050 --> 16:47.630]  And again, those partnerships I just talked about, like the ACI working with different national labs, airlines, consultants or whatnot.
[16:47.690 --> 16:58.430]  Again, the goal is to do all of this work together to identify new issues, new gaps, things that maybe we didn't think about so that we can make our products better, safer, more secure.
[17:01.790 --> 17:09.830]  So speaking about a secure airplane development, I wanted to talk about some of the processes that we use to go do that.
[17:09.830 --> 17:17.630]  So we have the concept of a System Engineering V and System Engineering, but we focus on a System Security Engineering V.
[17:17.850 --> 17:23.830]  And what that really means is it still describes the same systematic process for doing design and development,
[17:23.830 --> 17:29.510]  but adding those security activities as an abstraction layer on top of the normal system development.
[17:29.510 --> 17:36.690]  And so what that means is, you know, we'll do system security analysis, we'll make sure, we'll do requirements verification,
[17:37.210 --> 17:44.750]  make sure that those systems have all the right requirements to reduce the risks based on those type of activities.
[17:45.390 --> 17:50.950]  Threat modeling, attack surface analysis, similar to how we do fault trees and fault hazard assessments,
[17:50.950 --> 17:59.290]  we do the same thing for security through a threat tree and looking at the anode gates that could lead to a security event.
[18:00.110 --> 18:06.110]  Those all aggregate up to what we do then at the airplane level. So we do this for each system on the aircraft,
[18:06.110 --> 18:11.630]  but then what does that look like? You know, maybe you don't have a significant risk at a single system,
[18:11.630 --> 18:18.190]  but if you were to aggregate all these different risks across the integrated aircraft architecture, does your analysis change?
[18:18.190 --> 18:24.610]  And so we do it at the airplane level as well. And then we also do the testing on some things you can't analyze away,
[18:24.610 --> 18:30.450]  you can't do through analysis. And so especially when we're talking about robustness and resiliency,
[18:30.450 --> 18:36.330]  we do a lot of the testing at the system and aircraft level, and that covers your traditional requirements based testing,
[18:36.330 --> 18:41.950]  as well as those type of more invasive, the penetration testing, the robustness,
[18:41.950 --> 18:46.650]  and then looking for vulnerabilities and things that have already been documented.
[18:48.850 --> 18:52.970]  Kind of talked about the security standards, and there's a whole lot of them in aviation.
[18:53.110 --> 18:58.010]  The top three are probably the most centric to aviation cybersecurity right now.
[18:58.010 --> 19:05.310]  And those are DL-326, DL-355, and DL-356 and their European counterparts and Euro-K.
[19:05.450 --> 19:11.150]  Those are all centered on how to do security risk assessments, how to do aircraft secure design.
[19:11.150 --> 19:19.090]  And actually, they're going to become the new methods of compliance on how to certify aircraft from a security standpoint.
[19:19.390 --> 19:26.230]  I listed a couple others, ARINC 811, that's an older, it's a little stale, but still has good information on it.
[19:26.470 --> 19:32.570]  But this kind of risk assessment guide and risk management framework, although not aviation centric,
[19:32.570 --> 19:41.030]  they still have a lot of good information. A couple of these are just specific to how to do security event logging,
[19:41.030 --> 19:46.290]  832, 835 is how to do secure software loading using PKI and digital signatures.
[19:46.550 --> 19:53.970]  Spec 42 is used within aviation as more of a digital information and certificate policies and whatnot.
[19:54.690 --> 20:01.710]  So these are just, again, some of the industry best standards that we use to help build and design secure aircraft.
[20:03.210 --> 20:13.630]  Some of the principles that are called out, like in, say, DL-356A, and again, other places within industry are kind of listed on the slide here.
[20:13.630 --> 20:17.870]  So we do get a derived benefit from having such a strong safety culture.
[20:18.450 --> 20:24.230]  That means that, you know, typically we want to be safe by default, but we're working toward being secured by default.
[20:24.530 --> 20:30.130]  Now these can be at odds sometimes. And so there's always de-confliction and trays that have to happen.
[20:31.050 --> 20:36.190]  Integrity monitoring, defense in depth, you know, availability, network segmentation.
[20:36.190 --> 20:42.590]  These aren't really new, or these aren't specific to aviation, but again, the principles still apply to us.
[20:42.890 --> 20:47.670]  Something that I think is a little more unique on aviation is configuration management.
[20:47.930 --> 20:53.390]  So we have the ability to do maintenance and do what we call data loading and install new software on the aircraft.
[20:53.390 --> 20:59.110]  Now to protect that against misuse, we have a lot of different inhibits and interlocks that prevent that.
[20:59.110 --> 21:09.550]  Some of this is discrete logic. We might use a mechanical interlock or an avionics label or bus, like 429, that you need to be in a certain state to accomplish that.
[21:09.830 --> 21:17.410]  We do look at systems at design assurance level for their criticality as called out on DL-170AC.
[21:17.410 --> 21:22.610]  We also are now looking at security assurance level that is called out on DL-356.
[21:23.150 --> 21:31.270]  And then access control and authentication, least privilege. Again, these aren't unique to aviation, but we're still leveraging them the best we can.
[21:34.480 --> 21:42.820]  And then just to plug to the AISAC, the Aviation Information Sharing and Analysis Center, I kind of talked to them a little bit before.
[21:43.140 --> 21:49.440]  But again, when we're talking cybersecurity and we're talking an industry like this where it has such a global impact, right?
[21:49.440 --> 21:59.920]  If you have, say, an aircraft was to get hacked or have some major issues, you would need to know that because that could propagate through a fleet of aircraft across the world.
[21:59.920 --> 22:05.600]  And so to help mitigate that, again, we're part of the Aviation AISAC. We help stand that up.
[22:05.640 --> 22:18.060]  We engage regularly with both airline customers, our supply base, other industry and government partners, again, to collectively build a better and more secure industry.
[22:20.620 --> 22:23.840]  And so just a couple more slides here.
[22:24.140 --> 22:39.740]  So managing ongoing risk, I talked about us doing tabletops. We tend to do this through multiple iterations, whether it's an existing system that's been out there for a while or a new system that we want to bring online.
[22:39.820 --> 22:48.400]  But essentially, we want to bring the right people and stakeholders together, get different views and what that really means, understand what our threats are.
[22:48.400 --> 22:53.780]  What do we need to do in the future to build more resilient aircraft?
[22:54.040 --> 23:02.120]  And so that's really pushing us towards, again, getting folks aware of why cybersecurity on aircraft matter and building that new cybersecurity culture.
[23:04.360 --> 23:12.820]  So in summary, just wanted folks to understand within communities like this is that we don't just stick stuff on an aircraft.
[23:12.820 --> 23:18.460]  We actually spend a lot of time looking at cybersecurity and it's looked at across the ecosystem.
[23:18.460 --> 23:22.360]  We're leveraging the industry best standards and practices.
[23:22.520 --> 23:29.660]  We embed security throughout the entire product development lifecycle.
[23:29.980 --> 23:39.700]  One of the ways that we help to be more secure is collaboration with our stakeholders, because that's really the way that we can reduce risk collectively.
[23:39.700 --> 23:43.580]  We do take a proactive stance on managing ongoing risk.
[23:43.580 --> 23:47.540]  And so it just doesn't happen by itself.
[23:47.540 --> 23:52.060]  Cyber safety, cybersecurity, and cyber resiliency are key principles within Boeing.
[23:52.940 --> 23:59.420]  And ultimately, the message I want to share with the folks here at DEF CON and Aerospace Village is we want to proactively work with you.
[23:59.420 --> 24:05.100]  We want to work with the researchers, want to work with folks that are interested in making the industry better and more secure.
[24:05.560 --> 24:12.720]  And so hopefully this gave you a little bit of insight into how Boeing is managing a secure lifecycle.
[24:12.720 --> 24:16.580]  And going forward, hope to work with you all someday soon.
[24:17.120 --> 24:19.640]  Thanks for watching, and we'll talk to you later.
